Transition to new 27001

With the publication of ISO/IEC 27002:2022, an amendment to ISO/IEC 27001 is expected soon, which will update the content of Annex A to align the controls with those in the new edition of ISO/IEC 27002. For continued conformity with ISO/IEC 27001, organisations will then be obliged to recompare their necessary controls with those in the new Annex A and amend their ISMS, including their Statements of Applicability (SOA) as appropriate. As this change impacts on conformity assessment, the IAFInternational Accreditation Forum will issue a transition statement at about the same time. It is anticipated that organisations will have two years to make the change.

Want to know more?

Purpose of ISO/IEC 27001, Clauses 6.1.3 c) and d)

ISO/IEC 27001, Clause 6.1.3 c) requires organisations to compare their necessary controls with those in Annex A to determine if any necessary control has been inadvertently omitted. Since the content of Annex A has changed, the comparison process must be redone.

ISO/IEC 27001, Clause 6.1.3 d) requires organisations to produce a Statement of Applicability (SOA) that contains the necessary controls and justifies any excluded Annex A controls.

Possible outcomes of the recomparision process

The most likely outcome of the recomparision process is that it discovers several necessary control omissions and a need to revise or add further justification for excluded Annex A controls. In this case:

the risk assessment/risk treatment process must be reworked to include the omissions;
the omitted controls must be implemented; and
the SOA updated accordingly.

The amount of work required could be significant, which explains what at first view might appear to be a generous transition period.

It is theoretically possible that the recomparision process does not discover any necessary control omissions, for example because the ISMS is a mature ISMS and regular reassessments of risk have kept the ISMS up-to-date with changes in the threat landscape. However, because of subtle wording differences in the revised control text, it also implies that the organization was able to second guess the content of ISO/IEC 27002:2022.

An example is the control text for A.5.1 (Policies for information security). Compared to A.5.1.1 in the previous edition of Annex A, the revised control states that polices should be acknowledged as well as communicated to relevant personnel.

This is one reason why BSI advocates performing the recomparison process and not relying on the mapping tables in ISO/IEC 27002 to update the SOA.

The new control set in ISO/IEC 27001 Annex A does not constitute a new set of control requirements. Nevertheless, changes will be required if, following recomparison, you discover any necessary control omissions, and need to justify any further Annex A exclusions.

The first step is to assess the impact of the changes on your ISMS. The most likely outcome is that your will need to rework your risk assessment and risk treatment processes, implement new controls and update your SOA.

When is the best time to do this?

The new edition of ISO/IEC 27001 is not expected until April-June 2022 and the transition period will not start until then. This implies that you have until mid-2024 to make any necessary changes. However, the risk is not a certification risk, it is an information security risk. If recomparison with the new control set discovers any omitted necessary controls, not implementing them now could mean that you are running unnecessary information security risks. ISO/IEC 27002 is available now, so you know what will be in the new Annex A. It is therefore prudent to carry out your impact assessment now.

What should I do now?

How can IMS-Smart help?

We have assisted many organisations to develop their ISMS and have provided training in the UK, Norway, Latvia, Germany, Switzerland, Saudi Arabia, Kuwait, Qatar, Mauritius, India, South Korea and Singapore.

How can I find out more and obtain a quotation?

Please use our enquiry facility or send us an email to start a conversation. We can continue by telephone or video conferencing. Once we understand your requirements, we will be pleased to prepare a quotation and submit it for your consideration. Hopefully, you will find that it is competitive, and offers quality and value for money.





		Act now to avoid unnecessary exposure to information security risk
		HOME SERVICES Why IMS-Smart Consultancy and training Productised IP-led IMS Service Software-as-a-service IMS-Smart On-Line Quality attributes Brochure Product video Monthly subscription fees IMS-Smart Assistant Why it works Brochure Downloads Free session trials Cyber essentials MARKETPLACE Featured service Assistant registration IMS On-Line registration Book catalogue STANDARDS ISO/IEC 27001 ISMS Requirements Statement of Applicabiilty Risks and opportunities Risk treatment plans ISO/IEC 27002 Controls ISO/IEC 27004 Measurements ISO/IEC 27007 Auditing ISO/IEC 27014 Governance PHILOSOPHY Overview Architecture Time theory Opportunity exploitation Risk treatment Taxonomies Alternative ideas lists Effectiveness Continual improvement Auditing Implementation strategies CORPORATE About us Customers Papers Enquiries IMS-Smart Suzuki motorcycle ≡
		Already have an ISMS? perhaps we can help you create a better one!

	Transitioning your ISMS for the new edition of ISO/IEC 27001 With the publication of ISO/IEC 27002:2022, an amendment to ISO/IEC 27001 is expected soon, which will update the content of Annex A to align the controls with those in the new edition of ISO/IEC 27002. For continued conformity with ISO/IEC 27001, organisations will then be obliged to recompare their necessary controls with those in the new Annex A and amend their ISMS, including their Statements of Applicability (SOA) as appropriate. As this change impacts on conformity assessment, the IAFInternational Accreditation Forum will issue a transition statement at about the same time. It is anticipated that organisations will have two years to make the change. Want to know more? Purpose of ISO/IEC 27001, Clauses 6.1.3 c) and d) ISO/IEC 27001, Clause 6.1.3 c) requires organisations to compare their necessary controls with those in Annex A to determine if any necessary control has been inadvertently omitted. Since the content of Annex A has changed, the comparison process must be redone. ISO/IEC 27001, Clause 6.1.3 d) requires organisations to produce a Statement of Applicability (SOA) that contains the necessary controls and justifies any excluded Annex A controls. Possible outcomes of the recomparision process The most likely outcome of the recomparision process is that it discovers several necessary control omissions and a need to revise or add further justification for excluded Annex A controls. In this case: the risk assessment/risk treatment process must be reworked to include the omissions; the omitted controls must be implemented; and the SOA updated accordingly. The amount of work required could be significant, which explains what at first view might appear to be a generous transition period. It is theoretically possible that the recomparision process does not discover any necessary control omissions, for example because the ISMS is a mature ISMS and regular reassessments of risk have kept the ISMS up-to-date with changes in the threat landscape. However, because of subtle wording differences in the revised control text, it also implies that the organization was able to second guess the content of ISO/IEC 27002:2022. An example is the control text for A.5.1 (Policies for information security). Compared to A.5.1.1 in the previous edition of Annex A, the revised control states that polices should be acknowledged as well as communicated to relevant personnel. This is one reason why BSI advocates performing the recomparison process and not relying on the mapping tables in ISO/IEC 27002 to update the SOA. The new control set in ISO/IEC 27001 Annex A does not constitute a new set of control requirements. Nevertheless, changes will be required if, following recomparison, you discover any necessary control omissions, and need to justify any further Annex A exclusions. The first step is to assess the impact of the changes on your ISMS. The most likely outcome is that your will need to rework your risk assessment and risk treatment processes, implement new controls and update your SOA. When is the best time to do this? The new edition of ISO/IEC 27001 is not expected until April-June 2022 and the transition period will not start until then. This implies that you have until mid-2024 to make any necessary changes. However, the risk is not a certification risk, it is an information security risk. If recomparison with the new control set discovers any omitted necessary controls, not implementing them now could mean that you are running unnecessary information security risks. ISO/IEC 27002 is available now, so you know what will be in the new Annex A. It is therefore prudent to carry out your impact assessment now. What should I do now? acquire a copy of ISO/IEC 27002:2022 and read the BSI White Paper; compare your necessary controls with the ISO/IEC 27002:2022 controls; determine if you have any missing necessary controls; determine if any further justification is required for excluded Annex A controls; hence assess the impact that the new ISO/IEC 27001 Annex A will have on your ISMS; prioritise the changes based on your organisation's exposure to risk; draw up plans for implementing any required changes; and execute those plans according to your established priorities. How can IMS-Smart help? As part of our provision of expert ISMS consultancy, IMS-Smart can: guide you through the transition process; help you to make a correct assessment of the changes required; and assist you to assign priorites in accordance with your exposure to risk and business needs. We have assisted many organisations to develop their ISMS and have provided training in the UK, Norway, Latvia, Germany, Switzerland, Saudi Arabia, Kuwait, Qatar, Mauritius, India, South Korea and Singapore. How can I find out more and obtain a quotation? Please use our enquiry facility or send us an email to start a conversation. We can continue by telephone or video conferencing. Once we understand your requirements, we will be pleased to prepare a quotation and submit it for your consideration. Hopefully, you will find that it is competitive, and offers quality and value for money.





This site does not use cookies, but if you logon to an IMS-Smart product you consent to that site setting authentication session cookies
© IMS-Smart Limited, 2022
Page last updated: February 4, 2022

Logon to your IMS-Smart product
USER NAME
PASSWORD
Don’t have an IMS-Smart product? Learn more, register an evaluation copy, read the books.

Search the ims-smart.com website
SEARCH TEXT

Act now to avoid unnecessary exposure to information security risk